From: Ranjeet Shetye (ranjeet.shetye2_at_zultys.com)
Date: Tue, 5 Aug 2003 10:46:37 -0700
To: email@example.com
On 2003.08.04 19:36, Derek Martin wrote:
> On Mon, Aug 04, 2003 at 12:53:40PM +0500, Ed J. Aivazian wrote:
> > For the users who should use sftp only, set an `empty' shell (e.g.
> > #!/bin/sh \n echo "Good bye...")
> > don't forget to put the script in /etc/shells
> This will NOT work.
> $ sudo sh -c "echo -e '#!/bin/sh\necho goodbye\nexit 0' > /usr/local/bin/badshell"
> $ sudo chmod +x /usr/local/bin/badshell
> $ sudo sh -c "echo /usr/local/bin/badshell >> /etc/shells"
> $ sudo chsh rudy
> Changing shell for rudy.
> New shell [/usr/local/bin/rssh]: /usr/local/bin/badshell
> Shell changed.
> $ sftp rudy@localhost
> Connecting to localhost...
> rudy@localhost's password:
> Received message too long 1198485348
> The problem here is that when you sftp to a host, sshd starts a copy
> of the user's shell, with the command-line options appropriate for
> running sftp-server, the server-side portion of sftp. Essentially:
> /path/to/shell -c /path/to/sftp-server
> Your version of a shell will not allow this to work.
> - --
> Derek D. Martin
> GPG Key ID: 0xDFBEAD02
What about just using a simple "/bin/false" as the login shell for
user IDs that I don't want to log in but which I set up for sFTP? That's
what I've set up on my workstation at work (which is anyway protected
by a corporate firewall, so I wouldn't ever see any cracking
attempts). Would appreciate it if anyone can show me that using
"/bin/false" is NOT a secure way to shut off logins.
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
--
The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.
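Added example, not code from either message above. Derek's point is that sshd starts the account's login shell as `<shell> -c <sftp-server path>`, so a shell that ignores its arguments (the "Good bye" script, or /bin/false, which exits 1 without running anything) breaks SFTP along with interactive logins. A login shell that allows exactly that one invocation and refuses every other one is the minimal thing that works. The sftp-server path `/usr/lib/openssh/sftp-server`, the installed name `/usr/local/bin/sftponly` and the argv vectors in `demo` are assumptions; the path has to match the `Subsystem sftp` line in sshd_config exactly, because sshd passes that line verbatim as the `-c` argument.

```shell
#!/bin/sh
# Added example, not code from the thread. A login shell that permits exactly
# the invocation sshd uses to start the SFTP subsystem, "<shell> -c <sftp-server>",
# and refuses everything else: interactive logins, scp, and arbitrary -c commands.
# The sftp-server path is an assumption; it must equal the "Subsystem sftp" line
# in sshd_config (a bare path here, so that exec "$2" below is a plain exec).

SFTP_SERVER=/usr/lib/openssh/sftp-server

# allow_sftp_command ARGS...: succeed only if ARGS is exactly "-c <sftp-server>".
# Whole-string comparison, never re-parsed by a shell, so "<sftp-server>; sh"
# or "scp -t /tmp" is refused rather than interpreted.
allow_sftp_command() {
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    [ "$2" = "$SFTP_SERVER" ]
}

# decision ARGS...: print "allow" or "deny" for one candidate invocation.
decision() {
    if allow_sftp_command "$@"; then echo allow; else echo deny; fi
}

# describe ARGS...: a short label for the refusal message and for logging.
describe() {
    if [ "$#" -eq 0 ]; then
        echo "interactive login"
    else
        echo "command '$*'"
    fi
}

# sftp_only_shell ARGS...: the body that runs when this file is installed as
# the login shell. sshd execs it as "<shell> -c <sftp-server>" for SFTP and
# as "<shell>" with no arguments for an interactive session.
sftp_only_shell() {
    if allow_sftp_command "$@"; then
        exec "$2"
    fi
    echo "This account is restricted to SFTP; $(describe "$@") refused." >&2
    exit 1
}

# demo: run the policy over constructed argv vectors modelled on what sshd
# passes to a login shell (constructed here, not captured sshd invocations).
demo() {
    printf '%-5s %s\n' "$(decision)"                       "interactive login (no arguments)"
    printf '%-5s %s\n' "$(decision -c "$SFTP_SERVER")"     "SFTP subsystem: -c $SFTP_SERVER"
    printf '%-5s %s\n' "$(decision -c "scp -t /tmp")"      "scp: -c 'scp -t /tmp'"
    printf '%-5s %s\n' "$(decision -c "$SFTP_SERVER; sh")" "injection attempt: -c '$SFTP_SERVER; sh'"
    printf '%-5s %s\n' "$(decision -c "$SFTP_SERVER" -x)"  "extra argument after the command"
    printf '%-5s %s\n' "$(decision "$SFTP_SERVER")"        "sftp-server path without -c"
}

# Installed as /usr/local/bin/sftponly (assumed name; list it in /etc/shells and
# set it with chsh), argv[0] is "sftponly", or "-sftponly" for a login shell.
# Run by hand under any other name, the script only prints the decisions.
case "${0##*/}" in
    sftponly|-sftponly) sftp_only_shell "$@" ;;
    *) demo ;;
esac
```

Note that the same test that fails for /bin/false and for the "Good bye" script (does `sftp user@host` connect?) passes here, while `ssh user@host` and `scp` are refused with a message. On OpenSSH releases from the last decade and a half the usual way to get the same effect without a custom shell is a `Match User`/`Match Group` block in sshd_config with `ForceCommand internal-sftp` (and typically `ChrootDirectory`), which sidesteps the login shell entirely; that option did not exist when this thread was written.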